Dynamic Software Updates for Unmodified Browsers through Multi-Version Execution SIDDHANTH VENKATESHWARAN, ELLEN KIDANE, and LUÍS PINA, University of Illinois at Chicago, USA Browsers are the main way in which most users experience the internet, which makes them a prime target for malicious entities. The best defense for the common user is to keep their browser always up-to-date, installing updates as soon as they are available. Unfortunately, updating a browser is disruptive as it results in loss of user state. Even though modern browsers reopen all pages (tabs) after an update to minimize inconvenience, this approach still loses all local user state in each page (e.g., contents of unsubmitted forms, including associated JavaScript validation state) and assumes that pages can be refreshed and result in the same contents. We believe this is an important barrier that keeps users from updating their browsers as frequently as possible. In this paper, we present the design, implementation, and evaluation of Sinatra, which supports in- stantaneous browser updates that do not result in any data loss through a novel Multi-Version eXecution (MVX) approach for JavaScript programs. Sinatra works in pure JavaScript, does not require any browser support, thus works on closed-source browsers, and requires trivial changes to each target page, that can be automated. First, Sinatra captures all the non-determinism available to a JavaScript program (e.g., event handlers executed, expired timers, invocations of Math.random). Our evaluation shows that Sinatra requires 5MB to store such events, and the memory grows at a modest rate of 23.1KB/s as the user keeps interacting with each page. When an update becomes available, Sinatra transfer the state by re-executing the same set of non-deterministic events on the new browser. During this time, which can be as long as 13 seconds, Sinatra uses MVX to allow the user to keep interacting with the old browser. Finally, Sinatra changes the roles in 353ms, and the user starts interacting with the new browser, effectively performing a browser update with zero downtime and no loss of state. ACM Reference Format: Siddhanth Venkateshwaran, Ellen Kidane, and Luís Pina. 2021. Dynamic Software Updates for Unmodified Browsers through Multi-Version Execution. J. ACM 1, 1 (June 2021), 26 pages. https://doi.org/10.1145/nnnnnnn. nnnnnnn 1 INTRODUCTION Browsers are the main way in which most users experience the internet. Browsers are responsible for the safety of user sensitive data, in the form of cookies, saved passwords, and credit card information, and other personal information used to auto-complete forms. Browsers are also arXiv:2106.04655v1 [cs.PL] 8 Jun 2021 responsible for ensuring the integrity of the websites that the user visits, checking certificates and negotiating encrypted HTTPS channels. Given all this, browsers are prime targets for malicious entities. For the common user, the best way to protect their browsers (and the personal data they keep) is to keep the browsers as up-to-date as possible. Authors’ address: Siddhanth Venkateshwaran, [email protected]; Ellen Kidane, [email protected]; Luís Pina, luispina@uic. edu, University of Illinois at Chicago, Chicago, Illinois, USA. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. © 2021 Association for Computing Machinery. 0004-5411/2021/6-ART $15.00 https://doi.org/10.1145/nnnnnnn.nnnnnnn J. ACM, Vol. 1, No. 1, Article . Publication date: June 2021. 2 Venkateshwaran, Kidane, and Pina Unfortunately, users are slow to update their browsers to a new version. In terms of percentage of users, data for Google Chrome1 and Mozilla Firefox2 show that a new browser version takes about 2 weeks to overtake the previous version, and about 4 weeks to reach its peak. Given the fast pace of browser releases (6 weeks for Google Chrome and 4 weeks for Mozilla Firefox), the amount of users running outdated versions is significant at any given time. Browser developers are aware of the problems caused by running outdated versions, and provide features to entice users to update, from reminding the user that a new update is available to minimizing the inconvenience by reopening all pages (tabs) after the update. Even though popular, the latter feature has two main flaws. First, it assumes that pages can simply be refreshed after the update. Such an assumption fails if a login session expires, which causes the page to refresh to the login portal; or if the contents of the page change with each refresh, as is the case with modern social media. Second, refreshing a page loses all user state accumulated on that page since it was loaded. Such state includes, among others, data in HTML forms and Javascript state. The result is simple: Browser updates result in loss of user data. We believe that this is an important reason that keeps users from updating their browser, which creates the need for a technique to eliminate data loss due to browser updates. Dynamic Software Updating (DSU) techniques can be used for exactly that purpose, updating a program in-process. Unfortunately, state-of-the-art DSU tools cannot handle programs as complex as modern commercial internet browsers (Section 2.1). Also, simply dumping the old browser memory state to disk and reloading it in the new browser does not work, as the new browser may change the internal state representation. Note that the only browser state of interest is the JavaScript state of each page, so we could launch the updated browser and transfer only that state between browsers. Such an approach has two problems. First, the user cannot interact with either browser while transferring the state. Second, the user cannot rollback failed updates, which may result in loss of user data. Multi-Version eXecution (MVX) solves both problems by allowing the user to interact with the old browser while the new browser is receiving the state, and by allowing the user to cancel a failed update simply by closing the new browser. Unfortunately, state-of-the-art MVX tools cannot handle modern commercial internet browsers (Section 2.2), and performing MVX at the JavaScript is not as straightforward due to the event-driven programming paradigm (Section 2.3). In this paper, we present the design and implementation of Sinatra— Stateful Instantaneous browser updates — a novel MVX technique implemented in pure JavaScript. Sinatra requires little changes to the target JavaScript application (Section3), which can be performed automatically for all the pages accessed through an HTTP proxy (Section 3.1). To perform an update (Section 3.2), Sinatra captures all sources of non-determinism accessed by the browser. Then, when an update becomes available, Sinatra launches the updated browser as a separate process, and feeds it the same non-determinism, thus synchronizing the JavaScript state between both browsers. At this point, Sinatra starts performing MVX between the two browsers as the user interacts with the outdated browser, which allows the user to build confidence that the update was successful and that no data was lost. Once the user signals to Sinatra that the update was successful, the user can start interacting with the new browser and terminate the old browser. Sinatra captures all sources of non-determinism available to a JavaScript program, including execution of event handlers (Sections 3.3), and non-deterministic functions such as Math.random (Section 3.4). We implemented Sinatra in pure JavaScript using an extra coordinator process to enable communication between browsers (Section 4.1) that serializes JavaScript non-determinism 1https://gs.statcounter.com/browser-version-market-share/desktop/worldwide/#daily-20201001-20201201 2https://data.firefox.com/dashboard/user-activity J. ACM, Vol. 1, No. 1, Article . Publication date: June 2021. Dynamic Software Updates for Unmodified Browsers through Multi-Version Execution 3 as JSON (Section 4.2). Our implementation also handles all other sources of state in a JavaScript application (Sections 4.2 and 4.3). This paper also presents an extensive evaluation of Sinatra using 4 JavaScript applications and realistic workloads (Section 5.1). Our results show that Sinatra runs with very little performance overhead, adding at most 17.38ms to the execution of event handlers (Section 5.2), which is not noticeable by the user. For realistic user interactions, Sinatra requires 5MB of memory to store the events until a future update happens (Section 5.3). Furthermore, the amount of memory grows constantly with the length of active user interactions, with a maximum rate of 23.1KB/s (Section 5.4), which shows that Sinatra scales well with typical user interactions with modern websites. When performing an update, Sinatra requires at most 13 seconds to transfer the state between browsers (Section 5.5.1). We note that the user can continue to interact with the browser during this time. To switch to the updated browser, Sinatra imposes a pause in user interaction of 352ms or less (Section 5.5.2), which is perceived as instantaneous. At its core, Sinatra is an MVX system that delivers events from one browser to another in 55ms or less (Section 5.6). In short, this paper has the following contributions: (1) The design, and implementation of Sinatra, a system for performing MVX on JavaScript applications.